In message <53504c18.7050...@matthew.at>, Matthew Kaufman writes:
> On 4/17/2014 1:45 PM, George Herbert wrote:
> > This is why listening to operators is important.
>
> Why start now? After all, most of the useful input operators could have
> provided would have been much more useful at the beginning.
>
> Matthew Kaufman
NAT from a firewall perspective is "default deny in". As far as I can tell no one is arguing that a firewall should not support that.

Now mangling the addresses and ports is not a firewall's job. It never has been a firewall's job. That is what a NAT box does. Now sometimes a NAT and firewall are implemented in the same hardware and people fail to make the distinction.

As for doing the same as v4 in a firewall for v6, only an idiot would do that, as it will often break IPv6. There are rules, often deployed in v4, that are mostly harmless to IPv4 but will totally break IPv6.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
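A concrete form of the "default deny in" the post describes, as an added example that is not part of Mark's message or the thread: a stateful nftables ruleset for a Linux router that drops unsolicited inbound IPv6 without any address translation, and deliberately keeps the ICMPv6 that IPv6 depends on (neighbour discovery, packet-too-big) instead of copying a v4-style "block all ICMP" rule, which is the kind of rule the post warns breaks IPv6. The interface names `wan0` (Internet side) and `lan0` (inside) are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the mailing-list thread. Assumed interfaces:
# wan0 faces the Internet, lan0 faces the inside network. No NAT anywhere.
flush ruleset

table ip6 filter {
    # Packets addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbour discovery and router advertisement are link-local ICMPv6.
        # Dropping them (the classic v4-era "block ICMP" rule) leaves the
        # router unable to resolve any neighbour, so IPv6 stops working.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Management reachable only from the inside interface.
        iif "lan0" tcp dport 22 accept
    }

    # Packets crossing the router between lan0 and wan0.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate anything outbound; replies come back via
        # the conntrack entries above. Nothing unsolicited enters from wan0,
        # which is the "default deny in" without rewriting a single address.
        iif "lan0" oif "wan0" accept

        # IPv6 routers never fragment, so packet-too-big must pass in both
        # directions or path MTU discovery fails and large transfers stall.
        icmpv6 type { packet-too-big, destination-unreachable, time-exceeded, parameter-problem } accept
    }
}
```

Load with `nft -f <file>`; `nft list ruleset` shows what is active, and the conntrack table (`conntrack -L -f ipv6`) confirms return traffic is matched by state rather than by any translation.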